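---
# Applies the Terraform configuration in ./terraform on every push to master,
# then (when the enrollment secrets are set) pushes a Tailscale auth key to the
# listed VMs over SSH and starts their first-boot enrollment unit.
name: Terraform Apply

on:
  push:
    branches:
      - master

# No step here writes back to the repository, so the workflow token is limited
# to read access instead of inheriting the repository default.
permissions:
  contents: read

# Queue applies instead of running them in parallel. No lock setting is visible
# in the generated backend.hcl, so two overlapping runs could otherwise write
# the same state object. NOTE(review): confirm against the backend block in the
# .tf files.
concurrency:
  group: terraform-apply
  cancel-in-progress: false

jobs:
  terraform:
    name: "Terraform Apply"
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions below are referenced by mutable tag. This job
      # handles infrastructure credentials, so pinning each `uses:` to a full
      # commit SHA would stop a moved tag from changing what runs here.
      - name: Checkout repository
        uses: actions/checkout@v4

      # Secrets are handed to the script through `env` rather than being
      # expanded into the script text with ${{ }}. With inline expansion the
      # secret value becomes part of the shell source, so a `$`, backtick or
      # quote inside it is interpreted by the shell (the heredocs are unquoted).
      # As environment variables the values are substituted once and not
      # re-parsed.
      - name: Create secrets.tfvars
        working-directory: terraform
        env:
          PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
          B2_TF_BUCKET: ${{ secrets.B2_TF_BUCKET }}
          B2_TF_ENDPOINT: ${{ secrets.B2_TF_ENDPOINT }}
          B2_KEY_ID: ${{ secrets.B2_KEY_ID }}
          B2_APPLICATION_KEY: ${{ secrets.B2_APPLICATION_KEY }}
        run: |
          # Create the credential files readable by the runner user only.
          umask 077

          # The values land inside HCL string literals unescaped; a secret
          # containing a double quote would still produce an invalid file.
          cat > secrets.auto.tfvars << EOF
          pm_api_token_secret = "$PM_API_TOKEN_SECRET"
          EOF

          # tr strips CR/LF that may have been pasted into the stored key values.
          cat > backend.hcl << EOF
          bucket = "$B2_TF_BUCKET"
          key = "terraform.tfstate"
          region = "us-east-005"
          endpoints = { s3 = "$B2_TF_ENDPOINT" }
          access_key = "$(printf '%s' "$B2_KEY_ID" | tr -d '\r\n')"
          secret_key = "$(printf '%s' "$B2_APPLICATION_KEY" | tr -d '\r\n')"
          skip_credentials_validation = true
          skip_metadata_api_check = true
          skip_region_validation = true
          skip_requesting_account_id = true
          use_path_style = true
          EOF

      - name: Set up Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: '1.6.6'

      - name: Terraform Init
        working-directory: terraform
        run: terraform init -reconfigure -backend-config=backend.hcl

      # The plan is saved so that the apply step executes exactly the change set
      # that was printed in this step's log, not a second, freshly computed one.
      - name: Terraform Plan
        working-directory: terraform
        run: terraform plan -input=false -out=tfplan

      # Applying a saved plan file does not prompt, so -auto-approve is not
      # needed. NOTE(review): every push to master applies unattended; a
      # protected environment with required reviewers would add an approval
      # gate.
      - name: Terraform Apply
        working-directory: terraform
        run: terraform apply -input=false tfplan

      - name: Enroll VMs in Tailscale
        env:
          TS_AUTHKEY: ${{ secrets.TS_AUTHKEY }}
          TAILSCALE_ENROLL_HOSTS: ${{ secrets.TAILSCALE_ENROLL_HOSTS }}
          VM_SSH_PRIVATE_KEY: ${{ secrets.VM_SSH_PRIVATE_KEY }}
        run: |
          # Enrollment is optional: skip cleanly when any input is unset.
          if [ -z "$TS_AUTHKEY" ] || [ -z "$TAILSCALE_ENROLL_HOSTS" ] || [ -z "$VM_SSH_PRIVATE_KEY" ]; then
            echo "Skipping Tailscale enrollment (missing TS_AUTHKEY, TAILSCALE_ENROLL_HOSTS, or VM_SSH_PRIVATE_KEY)."
            exit 0
          fi

          # umask first, so the key file is never created with wider permissions.
          umask 077
          install -m 700 -d ~/.ssh
          printf '%s\n' "$VM_SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa

          # TAILSCALE_ENROLL_HOSTS is a comma-separated host list.
          for host in $(printf '%s' "$TAILSCALE_ENROLL_HOSTS" | tr ',' ' '); do
            echo "Enrolling $host into Tailscale"
            # NOTE(review): host key verification is disabled below, so the
            # auth key is sent to whatever answers at $host. Supplying the VMs'
            # host keys in a known_hosts file and dropping these two -o options
            # would authenticate the target before the key is transmitted.
            #
            # The auth key travels on stdin instead of being spliced into the
            # remote command string: it stays out of the remote process
            # arguments, and a quote character in the key cannot alter the
            # command.
            printf '%s\n' "$TS_AUTHKEY" | ssh \
              -o StrictHostKeyChecking=no \
              -o UserKnownHostsFile=/dev/null \
              -i ~/.ssh/id_rsa "micqdf@$host" \
              "sudo tee /etc/tailscale/authkey >/dev/null && sudo chmod 600 /etc/tailscale/authkey && sudo systemctl start tailscale-firstboot.service"
          done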